Those wary of password-management sites got another reason to question their security after hackers compromised industry leader LastPass.
In June, cyber-attackers accessed email addresses, password reminders and the authentication information LastPass uses to allow access to your account. While the company assured users that accounts (and stored passwords) were likely still safe, it did urge users to change their master passwords.
LastPass detected a problem in its databases similar to the one that signaled the most recent hack back in 2011, also urging users to change their master passwords.
Is this a big deal?
Luckily, a hack doesn’t mean thieves who access the company’s servers can sign in and open up a document with all your passwords.
Here’s the gist of how the cross-platform manager protects your data: LastPass stores only heavily encrypted bundles of passwords and the sites they belong to. The service doesn’t store the encryption key to your passwords; simply put, all the coding and decoding happens only on your computer, where a backup copy of the site records is stored.
Why use a password management site?
Security and convenience are the main drivers. LastPass, and similar services, don’t just act as a dumping ground for your (likely less-than-secure) passwords. Instead, password management tools can help users create and manage secure, unique passwords for every site.
Many people, for the sake of convenience, use a few versions of a handful of passwords across sites. Most secure websites have upped password requirements (the number and type of characters required), but it’s still virtually impossible to remember a unique password for every site.
That could spell trouble if thieves gain access to one of your passwords. If your banking information, for example, is exposed and you use the same password to log in to your investment service and Amazon account, a would-be thief just got a lot more access.
The passwords created through sites like LastPass aren’t ones you could remember — think a string of random numbers, letters and symbols — and thus are a whole lot tougher for hackers to guess.
Should I use a password-management site?
The June hack certainly proves no site is off limits for cyber-attackers, but LastPass’ security measures do seem to have held up.
If you do use a password-management service, take advantage of as many layers of protection as you can. LastPass gives users the option of two-factor authentication. That means someone who has only your master password won’t be able to access your account.
What if I still don’t trust a cloud-based service?
If you can’t get over the idea of storing your passwords in the cloud, there are other options. KeePass stores your passwords on your main computer, keeping them off a server that could get hacked but also out of reach if you ever need to access your passwords from another device. If someone steals your computer, your passwords will be easily retrievable.
One more word of wisdom: Don’t write your passwords, especially for sites used to access financial information, on a piece of paper. It could easily fall into the wrong hands.